If you run one of those demos on Microsoft Windows, you'll see pretty things happening, like calc.exe being launched behind your back.
Both Petko and I said this vulnerability is theoretically cross-platform, but as many reported it couldn't actually be reproduced on Mac OS X.
That's no real surprise, though: this is just another cross-application URI dispatching bug, and Apple's OS has already shown that it handles this class of issue in a much saner way than its counterpart from Redmond.
At any rate, on Windows at least, this can be exploited to do anything the currently logged-in user can do.
Scary, right?
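
The class of bug named above, a validation failure at the point where one application hands a URI to another, as an added example (not code from this post, from QuickTime or from NoScript): a JavaScript allowlisting dispatcher that refuses option-shaped strings, non-http(s) schemes and embedded credentials before anything is launched externally. The function names, the rejection rules and the sample inputs are assumptions for illustration; they do not describe how either vendor actually parses the hand-off.

```javascript
// Added example, not code from the post, from QuickTime or from NoScript.
// A scheme-allowlisting dispatcher for URIs that one application hands to
// another (e.g. a media player opening the "next" URL from an untrusted
// playlist in the default browser). The rules are illustrative hardening
// assumptions, not a description of either vendor's actual parsing.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL string if it is safe to hand off, else null.
function validateExternalUri(raw) {
  if (typeof raw !== "string") return null;

  // Anything that could be read as a command-line option by the receiving
  // program (leading dash), or split into several arguments (whitespace,
  // control characters), is refused outright.
  if (/^\s*-/.test(raw) || /[\s\x00-\x1f\x7f]/.test(raw)) return null;

  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    return null;
  }

  // Allowlist, not blocklist: javascript:, chrome:, file:, data: all fall out here.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;

  // No credentials in the authority part: "chrome%20javascript" as a user name
  // is the shape of input that produces the authentication warning a commenter
  // below reports seeing.
  if (url.username || url.password) return null;

  return url.href;
}

// Hands the URI to `launch` (e.g. a spawn of the browser) only after validation,
// and always as a single already-checked string. Returns whether it launched.
function dispatchExternal(raw, launch) {
  const href = validateExternalUri(raw);
  if (href === null) return false;
  launch(href);
  return true;
}

// Constructed sample inputs, each with the decision expected from the dispatcher.
const SAMPLES = [
  ["http://example.com/next.mov", true],
  ["https://example.com/a b", false],                 // whitespace
  ["-chrome javascript:alert(1)", false],             // option-shaped
  ["javascript:alert(1)", false],                     // scheme not allowed
  ["chrome://browser/content/browser.xul", false],    // scheme not allowed
  ["http://chrome%20javascript@mozilla.org/", false], // credentials in authority
];

// Returns true when every sample is decided as expected and exactly one launched.
function selfCheck() {
  const launched = [];
  const allAsExpected = SAMPLES.every(
    ([input, expected]) =>
      dispatchExternal(input, (href) => launched.push(href)) === expected
  );
  return allAsExpected && launched.length === 1;
}

console.log(selfCheck() ? "all samples decided as expected" : "mismatch");
```

The point of the shape is that the receiving program never sees a string it has to interpret: the scheme is decided by an allowlist, not by scanning for known-bad prefixes, and anything that could be read as an option or as several arguments is rejected before the parse rather than escaped after it.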

This entry was posted on Wednesday, September 12th, 2007 at 1:30 pm and is filed under XSS, Mozilla, Security, NoScript.

11 Responses to “-82DAY: NoScript pwns Quicktime pwning Firefox”

have you ever thought about just overhauling the javascript engine in firefox to only exec the known good instead of the known bad? that is sort of the direction you're heading with noscript, but it seems to be less manageable than, say, limiting the function calls implemented in the ff javascript stack to a discrete few. thoughts?

The proof of concept doesn't work on my Firefox 2.0.0.6 under MacOS 10.4.9, and I don't have NoScript installed. When I try his POC, I first get an alert telling me that I'm trying to authenticate as username chrome%20javascript on the site mozilla.org, which does not require authentication, that it may be an attempt to trick me, and asking whether mozilla.org is the site I want to visit. Even if I click Yes, the resulting URL is not a chrome one, but is http://mozilla.org/.... followed by what looks like the attempted exploit code. Instead of running the exploit, that simply results in a 404 not found error from mozilla.org.

pdp says on his site that the vulnerability is cross-platform, and I see everyone quoting him on that, but he also said he doesn't have a Mac and hasn't tried it on one.

ever thought about just overhauling the javascript engine in firefox to only exec the known good instead of the known bad?
[...]limiting the function calls implemented in the ff javascript stack to a discrete few[...]

Can you show me what's "known good" and what's "known bad" with JavaScript?
It's Turing complete and dynamic, and the browser DOM allows it to do the same thing in a million ways, so good luck with that.
Just to stay with the DOM API, I just wouldn't know where to start: XMLHttpRequest? document.cookie? window.location? Image? node.innerHTML? document.createNode?
Any suggestion is welcome...
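
As an added illustration of the point made in the reply above (not code from the post or from NoScript): a toy "known bad" filter that scans script text for dangerous API names, and several constructed payloads that read the same value without ever spelling the blacklisted name. The blacklist, the `fakeDocument` stand-in and the payloads are all assumptions made for the example; there is no DOM here, the scripts run under Node.js.

```javascript
// Added example, not code from the post or from NoScript. A toy "known bad"
// filter over script source, and constructed payloads that read the same
// value while never spelling the blacklisted name. Runs under Node.js: the
// `fakeDocument` object is a stand-in for the browser's document.

// Naive "known bad" list: reject any script whose text names a dangerous API.
const BLACKLIST = /document\.cookie|window\.location|XMLHttpRequest|innerHTML/;

function allowedByBlacklist(source) {
  return !BLACKLIST.test(source);
}

// Constructed stand-in for the DOM document; the cookie value is made up.
const fakeDocument = { cookie: "session=s3cr3t" };

// Executes page-style script with `document` bound in scope.
function runScript(source) {
  return new Function("document", source)(fakeDocument);
}

// The payload the filter was written for, and five equivalent rewrites of it.
const DIRECT = "return document.cookie";
const BYPASSES = {
  bracket:   'return document["coo" + "kie"]',
  charcode:  "return document[String.fromCharCode(99, 111, 111, 107, 105, 101)]",
  values:    "return Object.values(document)[0]",
  alias:     "var d = document; return d.cookie",
  splitEval: 'return eval("docu" + "ment.cookie")', // direct eval sees the scope
};

// For each rewrite: did it get past the filter, and did it still read the cookie?
function evaluateBypasses() {
  const report = {};
  for (const [name, source] of Object.entries(BYPASSES)) {
    report[name] = {
      passesFilter: allowedByBlacklist(source),
      leaked: runScript(source) === fakeDocument.cookie,
    };
  }
  return report;
}

// Number of rewrites that both pass the filter and leak the secret.
function countEvasions() {
  return Object.values(evaluateBypasses())
    .filter((r) => r.passesFilter && r.leaked).length;
}

console.log("direct payload blocked:", !allowedByBlacklist(DIRECT));
console.log("evasions:", countEvasions(), "of", Object.keys(BYPASSES).length);
```

Every rewrite is ordinary JavaScript (computed property names, string building, aliasing, eval), which is why the list of "known bad" names has no stable boundary: the dangerous capability lives in the object being reached, not in any particular spelling of the path to it.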

@bugstomper:
you're right, it doesn't work on Mac OS X and the reason is quite clear. I'm updating my post to reflect this.

[...] users can protect themselves against this exploit by using the NoScript extension. According to this post at hackademix.net, the addon will prevent Petkov’s exploit from working even if a user has [...]

[...] It happened in the past and it’s happening again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users are protected since August 2007. [...]

[...] It happened in the past and it’s happening again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users have been protected since August 2007. [...]